(RHSA-2005:357) gzip security update

The gzip package contains the GNU gzip data compression program.

A bug was found in the way zgrep processes file names. If a user can be
tricked into running zgrep on a file with a carefully crafted file name,
arbitrary commands could be executed as the user running zgrep. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2005-0758 to this issue.

A bug was found in the way gunzip modifies permissions of files being
decompressed. A local attacker with write permissions in the directory in
which a victim is decompressing a file could remove the file being written
and replace it with a hard link to a different file owned by the victim.
gunzip then gives the linked file the permissions of the uncompressed file.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2005-0988 to this issue.

A directory traversal bug was found in the way gunzip processes the -N
flag. If a victim decompresses a file with the -N flag, gunzip fails to
sanitize the path which could result in a file owned by the victim being
overwritten. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-1228 to this issue.

Users of gzip should upgrade to this updated package, which contains
backported patches to correct these issues.